"And you want to have very well-defined job skills, we use skills competency grids and look for certain sets of [factors] to consider promotions," she said. "As part of our corporate process, we also have to submit proposals to an IT leadership team to ensure that promotions are worthy."
Employee background checks are an area where some IT security leaders admit that they've been forced to rethink their approach based on the globalization of their workforce and the potential for insider attacks.
Doing a rudimentary background check doesn't cut it when you're recruiting people all over the world or candidates who come from or have worked in foreign nations, said Richard Dorough, CISO at manufacturing giant Textron.
"When it comes to background checks, we've had to review our entire hiring process. We've retrenched because we had some inconsistencies in the past," Dorough said.
"We discovered that we were failing at handoffs between different elements of our business, so we changed the process to address that and prevent people from falling through the cracks," he said. "We had also traditionally done only local felony checks, but not national; for people who have sensitive levels of access, you really need to do national checks, or even multinational when you can get them."
Another fundamental tenet of sound IT security management is making sure that workers, both security-specific professionals and generalists, understand why the organization has made the decisions it has, and communicating that message to everyone affected, speakers said.
"It's always important to explain your work in the context of business problems," said Dave Morrow, chief security and privacy officer at consulting giant EDS. "Oftentimes we in security are our own worst enemies for not thinking of interesting ways to communicate with business leaders; if you can frame the discussion not as security, but as a business improvement, you'll get a lot more acceptance."